A security vulnerability put at risk warning sirens across the city of San Francisco, according to a report released by security firm Bastille Networks on April 10.
Bastille said the vulnerability, which it dubbed “SirenJack,” could have enabled an attacker to broadcast a false alarm that would have impacted millions of people. The SirenJack vulnerability specifically impacts warning sirens developed by ATI Systems and is deployed in multiple locations around the United States, including San Francisco. The City of San Francisco had previously announced on April 6 that it was deploying updates to the system in an effort to improve security and minimize potential threats.
Bastille Networks stated that it responsibly disclosed the issue to ATI Systems on Jan. 8.
“Bastille Networks, a company that offers visibility into known and unknown mobile, wireless and IoT [internet of things] devices within an enterprise’s corporate airspace, reported that by monitoring one of our systems for months, they have largely deduced the command format of our packets,” ATI Systems wrote in a statement. “However, we wish to point out these are technically sophisticated people who have devoted significant time and effort to this task. Before customers panic too much, please understand that this is not a trivially easy thing that just anyone can do.”
Balint Seeber, director of vulnerability research at Bastille, spent months studying the radio frequency (RF) signals used by ATI Systems in San Francisco. There are 144 emergency alert sirens spread across San Francisco that are tested regularly.
“What’s interesting with a radio-based system is because it is a shared medium, anyone can listen to traffic,” Seeber told eWEEK. “Whenever you transmit over radio, you’re leaking a bit of information each time that can help to piece together how the system operates.”
Seeber collected the radio signals from the San Francisco emergency sirens’ transmissions using a software-defined radio and wrote some custom code to look for patterns that could lead to an understanding of how signals are sent and received.
“Since the radio traffic was not encrypted, the pattern became obvious,” he said.
Executing an attack against the alarm system would not be as simple as replaying a series of recorded data packets, according to Seeber. Data packets do change, but they change in a predictable manner, he said.
Seeber said he responsibly disclosed the issue to ATI Systems on Jan. 8. He added that Bastille was able to establish a dialogue with ATI Systems to help the company understand the issue and work toward a fix.
Need for Encryption and Authentication
“The core problem is that there is no encryption and no obfuscation, which means that anybody can observe the traffic and deduce the patterns,” Seeber said.
In a good communication system, there is a need for both encryption and authentication to help provide security and prevent unauthorized access, according to Seeber. He noted that from his observations of the San Francisco alert system in recent days, it appears that ATI Systems has hardened the system with multiple improvements to improve security.
IoT Security
The SirenJack issue is not the first time Bastille has reported potential security vulnerabilities in devices.
In 2016, Bastille researchers reported flaws in wireless keyboards they dubbed Keysniffer and a set of vulnerabilities in wireless mice known as MouseJacking. In 2017, Bastille researchers at the DefCon security conference detailed “CableTap” flaws impacting millions of wireless gateways set up by internet service providers.
There are some similarities between the flaws that Bastille had previously reported and the situation with SirenJack.
“This [SirenJack] is another instance of security by obscurity,” Seeber said.
He noted that vendors sometimes decide to have their own custom protocol for command and control and don’t expect that it will be discovered. Obscurity is not a solid approach to security, and it’s important to integrate proper security practices throughout a technology’s workflow, he added.
“The big difference is that we’ve now moved from the realm of consumer devices to public safety, ” Seeber said. “The public needs to have confidence in these systems, so the scale of SirenJack is quite different than the others things we’ve disclosed.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Editor’s Note: This article was updated with information from the City of San Francisco that clarified the number of sirens and when the vulnerability was fixed.